Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
Size: px
Start display at page:

Download "Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves"

Transcription

1 CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA, France Nicolas.Estibals@loria.fr Diego F. Aranha Jean-Luc Beuchat Jérémie Detrey Institute of Computing, University of Campinas, Brazil Graduate School of Systems and Information Engineering, University of Tsukuba, Japan CARAMEL project-team, LORIA, INRIA / Université de Lorraine / CNRS, France /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(a =*d; ++i<a ;++Q[ i*i% A],R= i[q]? R:i); for(;i --;) for(m =A;M --;N +=!M*Q [E%A ],e+= Q[(A +E*E- R*L* L%A) %A]) for( E=i,L=M,a=4;a;C= i*e+r*m*l,l=(m*e +i*l) %A,E=C%A+a --[d]);printf ("%d" "\n", (e+n* N)/2 /* cc caramel.c; echo f3 f2 f1 f0 p./a.out */ -A);}

2 Pairings and cryptology used as a primitive in many protocols and devices Boneh Lynn Shacham short signature Boneh Franklin identity-based encryption... N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 1 / 14

3 Pairings and cryptology used as a primitive in many protocols and devices Boneh Lynn Shacham short signature Boneh Franklin identity-based encryption... implementations needed for various targets online server high-speed software smart card low-resource hardware reach 128 bits of security (equivalent to AES) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 1 / 14

4 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

5 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

6 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab Symmetric pairing (Type-1): G 1 = G 2, exploited by some protocols N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

7 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab Symmetric pairing (Type-1): G 1 = G 2, exploited by some protocols Choice of the groups: G 1, G 2 : related to an algebraic curve G T : related to the field of definition of the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

8 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

9 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

10 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

11 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F Solutions to the large base field needed by supersingular curves (Pairing 2010) Use fields of composite extension degree: benefit from faster field arithmetic but requires careful security analysis N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

12 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F Solutions to the large base field needed by supersingular curves (Pairing 2010) Use fields of composite extension degree: benefit from faster field arithmetic but requires careful security analysis (This work) Use genus-2 hyperelliptic curves: base field will be F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

13 Elliptic curves E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

14 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

15 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O L P,Q Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

16 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O Q R L P,Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

17 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O V R Q R L P,Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

18 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O V R Q R L P,Q P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

19 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 In practice: K is a finite field F q E(F q ) is a finite group O V R Q R L P,Q P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

20 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 In practice: K is a finite field F q O V R E(F q ) is a finite group l: a large prime dividing #E(F q ) Use the cyclic subgroup Q R L P,Q E(F q )[l] = {P [l]p = O} P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

21 Genus-2 hyperelliptic curves C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

22 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

23 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 P 1 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

24 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 P 1 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

25 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 R 1 P 1 R 2 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

26 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 R 1 R 2 P 1 R 1 R 2 Q 1 {P 1, P 2 } + {Q 1, Q 2 } = {R 1, R 2 } N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

27 Genus-2 hyperelliptic curves C(K) not a group! But pairs of points {P 1, P 2 } C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O Q 2 More formally use the Jacobian Jac C (K) P 2 R 1 R 2 P 1 R 1 R 2 Q 1 {P 1, P 2 } + {Q 1, Q 2 } = {R 1, R 2 } N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

28 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q P 1 R 1 R 2 Q 1 D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

29 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q general form of the elements (called divisor) P 1 R 1 R 2 Q 1 D P = (P 1 )+(P 2 ) 2(O) D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

30 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q general form of the elements (called divisor) P 1 R 1 R 2 Q 1 D P = (P 1 )+(P 2 ) 2(O) degenerate form (P) (O) D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

31 Computing the pairing: Miller s algorithm (elliptic case) e : G 1 G 2 G T Reduced Tate pairing O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

32 Computing the pairing: Miller s algorithm (elliptic case) P, Reduced Tate pairing e : E(F q )[l] G 2 G T O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

33 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] G T P, Q k: embedding degree (curve parameter) O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

34 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] µ l F q k P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

35 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] µ l F q k P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O Miller functions: f n,p N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

36 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

37 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P g [n]p,[n ]P derived from the addition of [n]p and [n ]P g [n]p,[n ]P = L [n]p,[n ]P V [n+n ]P [n]p O [n ]P V [n+n ]P L [n]p,[n ]P [n + n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

38 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P g [n]p,[n ]P derived from the addition of [n]p and [n ]P compute f l,p thanks to an addition chain in practice: double-and-add log 2 l iterations g [n]p,[n ]P = L [n]p,[n ]P V [n+n ]P [n]p O [n ]P V [n+n ]P L [n]p,[n ]P [n + n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

39 Miller s algorithm (hyperelliptic case) e : G 1 G 2 G T O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

40 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

41 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

42 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D g [n]d,[n ]D = L [n]d,[n ]D V [n+n ]D O g [n]d,[n ]D derived from the addition of [n]d and [n ]D use Cantor s addition algorithm [n]d [n + n ]D [n ]D L [n]d,[n ]D V [n+n ]D N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

43 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D g [n]d,[n ]D = L [n]d,[n ]D V [n+n ]D O g [n]d,[n ]D derived from the addition of [n]d and [n ]D use Cantor s addition algorithm double-and-add algorithm log 2 l iterations [n]d L [n]d,[n ]D [n + n ]D V [n+n ]D [n ]D iterations are more complex N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

44 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

45 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

46 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

47 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = (P 8 ) (O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

48 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = ([8]P) (O) octupling acts on the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

49 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = ([8]P) (O) octupling acts on the curve f 8,D has a much simpler expression than f 2,D N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

50 Constructing the Optimal Eta pairing Algorithm Tate double & add #iterations 2m Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

51 Constructing the Optimal Eta pairing Algorithm #iterations Tate double & add 2m Tate octuple & add 2m 3 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

52 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. double & add octuple & add η T pairing 2m 2m 3 m 2 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

53 Constructing the Optimal Eta pairing Algorithm Tate Tate Barreto et al. double & add octuple & add η T pairing Optimal Ate pairing #iterations 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

54 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

55 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing cannot use 2 m -th power Verschiebung: does not act on the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

56 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 3 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing cannot use 2 m -th power Verschiebung: does not act on the curve but can use 2 3m -th power Verschiebung 33% improvement compared to Barreto et al. s work N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

57 Considering degenerate divisors Some protocols allow to choose the form of one or two input divisors Consider degenerate divisors of the form (P) (O) only 2 coordinates in F 2 m to represent such a divisor (instead of 4 coordinates for a general one) since octupling acts on the curve: we can work with a point! [8]((P) (O)) = ([8]P) (O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 10 / 14

58 Considering degenerate divisors Some protocols allow to choose the form of one or two input divisors Consider degenerate divisors of the form (P) (O) only 2 coordinates in F 2 m to represent such a divisor (instead of 4 coordinates for a general one) since octupling acts on the curve: we can work with a point! [8]((P) (O)) = ([8]P) (O) We may compute the pairing of two general divisors (GG) one degenerate and one general divisor (DG) halves the amount of computation lot of protocols allow this two degenerate divisors (DD) halves again the amount of computation some protocols still compatible N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 10 / 14

59 Implementations for Intel Core 2 Software implementation Computation time ( 10 6 cycles) Barreto Naehrig Supersingular elliptic E(F ) E(F 3 359) Genus-2 supersingular DD DG GG N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 11 / 14

60 Software implementation Implementations for Intel Core 2 and Nehalem architecture Use of the native binary field multiplier on Nehalem Computation time ( 10 6 cycles) Barreto Naehrig Supersingular elliptic E(F ) E(F 3 359) Genus-2 supersingular DD DG GG N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 11 / 14

61 Hardware implementation Optimal Eta pairing on general divisors Implemented on a finite field coprocessor F addition multiplication Frobenius endomorphism Post place-and-route estimations on a Virtex 6-LX 130T results Implementation Curve Area Time Area time (device usage) (ms) Cheung et al. E(F p254 ) 35 % Ghosh et al. E(F ) 76 % Estibals E(F ) 8 % This work C 0 (F 2 367) (GG) 7 % N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 12 / 14

62 Conclusion A novel pairing algorithm shortening Miller s loop Competitive timings compared to genus-1 pairings Comparable timings against non-symmetric pairings N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 13 / 14

63 Conclusion A novel pairing algorithm shortening Miller s loop Competitive timings compared to genus-1 pairings Comparable timings against non-symmetric pairings Most efficient symmetric pairing implementation for both software and hardware when at least one divisor is degenerate (DG and DD case) First hardware implementation of a genus-2 pairing reaching 128 bits of security N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 13 / 14

64 Conclusion A novel pairing algorithm shortening Miller s loop Competitive timings compared to genus-1 pairings Comparable timings against non-symmetric pairings Most efficient symmetric pairing implementation for both software and hardware when at least one divisor is degenerate (DG and DD case) First hardware implementation of a genus-2 pairing reaching 128 bits of security Perspectives Implement optimal Ate pairing on this curve (work in progress) Use theta functions for faster curve arithmetic N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 13 / 14

65 Thank you for your attention! Questions? N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 14 / 14

Similar documents

Reducing the Key Size of Rainbow using Non-Commutative Rings

Reducing the Key Size of Rainbow using Non-Commutative Rings Reducing the Key Size of Rainbow using Non-Commutative Rings Takanori Yasuda (Institute of systems, Information Technologies and Nanotechnologies (ISIT)), Kouichi Sakurai (ISIT, Kyushu university) and

More information

Arithmetic operators for pairing-based cryptography

Arithmetic operators for pairing-based cryptography 7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre

More information

Optimised versions of the Ate and Twisted Ate Pairings

Optimised versions of the Ate and Twisted Ate Pairings Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.

More information

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

Some Efficient Algorithms for the Final Exponentiation of η T Pairing Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.

More information

Block Wiedemann likes Schirokauer maps

Block Wiedemann likes Schirokauer maps Block Wiedemann likes Schirokauer maps E. Thomé INRIA/CARAMEL, Nancy. /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for

More information

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1

More information

Pairings for Cryptography

Pairings for Cryptography Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),

More information

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn,

More information

An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation

An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation Jean-Luc Beuchat 1 Masaaki Shirase 2 Tsuyoshi Takagi 2 Eiji Okamoto 1 1 Graduate School of Systems and

More information

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three

More information

Implementing Pairing-Based Cryptosystems

Implementing Pairing-Based Cryptosystems Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:

More information

Pairings at High Security Levels

Pairings at High Security Levels Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.

More information

Ate Pairing on Hyperelliptic Curves

Ate Pairing on Hyperelliptic Curves Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a

More information

SM9 identity-based cryptographic algorithms Part 1: General

SM9 identity-based cryptographic algorithms Part 1: General SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...

More information

Background of Pairings

Background of Pairings Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings

More information

Représentation RNS des nombres et calcul de couplages

Représentation RNS des nombres et calcul de couplages Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29

More information

Katherine Stange. ECC 2007, Dublin, Ireland

Katherine Stange. ECC 2007, Dublin, Ireland in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence

More information

Implementing the Weil, Tate and Ate pairings using Sage software

Implementing the Weil, Tate and Ate pairings using Sage software Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation

More information

On the complexity of computing discrete logarithms in the field F

On the complexity of computing discrete logarithms in the field F On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of

More information

Efficient Tate Pairing Computation Using Double-Base Chains

Efficient Tate Pairing Computation Using Double-Base Chains Efficient Tate Pairing Computation Using Double-Base Chains Chang an Zhao, Fangguo Zhang and Jiwu Huang 1 Department of Electronics and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275,

More information

Hyperelliptic curves

Hyperelliptic curves 1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic

More information

Non-generic attacks on elliptic curve DLPs

Non-generic attacks on elliptic curve DLPs Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith

More information

Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers

More information

On the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings

On the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings On the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings Sanjit Chatterjee, Darrel Hankerson, and Alfred Menezes 1 Department of Combinatorics & Optimization, University

More information

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got

More information

Efficient Pairing Computation on Supersingular Abelian Varieties

Efficient Pairing Computation on Supersingular Abelian Varieties Efficient airing Computation on Supersingular Abelian Varieties aulo S. L. M. Barreto 1, Steven Galbraith 2, Colm Ó héigeartaigh 3, and Michael Scott 3 1 Department of Computing and Digital Systems Engineering,

More information

Pairing-Friendly Elliptic Curves of Prime Order

Pairing-Friendly Elliptic Curves of Prime Order Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005 Outline

More information

Aspects of Pairing Inversion

Aspects of Pairing Inversion Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear

More information

A Remark on Implementing the Weil Pairing

A Remark on Implementing the Weil Pairing A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr

More information

High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields

High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields Santosh Ghosh, Dipanwita Roychowdhury, and Abhijit Das Computer Science and Engineering

More information

Algorithms for integer factorization and discrete logarithms computation

Algorithms for integer factorization and discrete logarithms computation /* */ C,A, /* */ R,a, /* */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(a =*d; ++i

More information

A brief overwiev of pairings

A brief overwiev of pairings Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

More information

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Constructing Pairing-Friendly Elliptic Curves for Cryptography Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography

More information

Hardware Acceleration of the Tate Pairing in Characteristic Three

Hardware Acceleration of the Tate Pairing in Characteristic Three Hardware Acceleration of the Tate Pairing in Characteristic Three CHES 2005 Hardware Acceleration of the Tate Pairing in Characteristic Three Slide 1 Introduction Pairing based cryptography is a (fairly)

More information

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have

More information

Montgomery Algorithm for Modular Multiplication with Systolic Architecture

Montgomery Algorithm for Modular Multiplication with Systolic Architecture Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1 Plan 1 Introduction for pairing Montgomery

More information

Number Theory in Cryptology

Number Theory in Cryptology Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011 What is Number Theory? Theory of natural numbers N = {1,

More information

Efficient and Generalized Pairing Computation on Abelian Varieties

Efficient and Generalized Pairing Computation on Abelian Varieties ECC 2008 Efficient and Generalized Pairing Computation on Abelian Varieties Hyang-Sook Lee Ewha Womans University Korea Joint Work with Eunjeong Lee (North Carolina State University) Cheol-Min Park (EWHA)

More information

A Dierential Power Analysis attack against the Miller's Algorithm

A Dierential Power Analysis attack against the Miller's Algorithm A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,

More information

High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields

High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields Santosh Ghosh, Dipanwita Roy Chowdhury, and Abhijit Das Computer Science and Engineering

More information

Fixed Argument Pairings

Fixed Argument Pairings craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are

More information

The Eta Pairing Revisited

The Eta Pairing Revisited 1 The Eta Pairing Revisited F. Hess, N.P. Smart and F. Vercauteren Abstract In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Baretto

More information

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is

More information

Constructing Families of Pairing-Friendly Elliptic Curves

Constructing Families of Pairing-Friendly Elliptic Curves Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding

More information

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Scalar multiplication in compressed coordinates in the trace-zero subgroup Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland

More information

A Digital Signature Scheme based on two hard problems

A Digital Signature Scheme based on two hard problems A Digital Signature Scheme based on two hard problems Dimitrios Poulakis and Robert Rolland Abstract In this paper we propose a signature scheme based on two intractable problems, namely the integer factorization

More information

An Introduction to Pairings in Cryptography

An Introduction to Pairings in Cryptography An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings

More information

Analysis of Optimum Pairing Products at High Security Levels

Analysis of Optimum Pairing Products at High Security Levels Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences

More information

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms by Michael Shantz A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master

More information

Modular Multiplication in GF (p k ) using Lagrange Representation

Modular Multiplication in GF (p k ) using Lagrange Representation Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier

More information

Generating more MNT elliptic curves

Generating more MNT elliptic curves Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade

More information

The Final Exponentiation in Pairing-Based Cryptography

The Final Exponentiation in Pairing-Based Cryptography The Final Exponentiation in Pairing-Based Cryptography Barış Bülent Kırlar Department of Mathematics, Süleyman Demirel University, 3220, Isparta, Turkey Institute of Applied Mathematics, Middle East Technical

More information

An Analysis of Affine Coordinates for Pairing Computation

An Analysis of Affine Coordinates for Pairing Computation An Analysis of Affine Coordinates for Pairing Computation Kristin Lauter, Peter L. Montgomery, and Michael Naehrig Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA {klauter, petmon, mnaehrig}@microsoft.com

More information

An FPGA-based Accelerator for Tate Pairing on Edwards Curves over Prime Fields

An FPGA-based Accelerator for Tate Pairing on Edwards Curves over Prime Fields . Motivation and introduction An FPGA-based Accelerator for Tate Pairing on Edwards Curves over Prime Fields Marcin Rogawski Ekawat Homsirikamol Kris Gaj Cryptographic Engineering Research Group (CERG)

More information

Class polynomials for abelian surfaces

Class polynomials for abelian surfaces Class polynomials for abelian surfaces Andreas Enge LFANT project-team INRIA Bordeaux Sud-Ouest andreas.enge@inria.fr http://www.math.u-bordeaux.fr/~aenge LFANT seminar 27 January 2015 (joint work with

More information

Cyclic Groups in Cryptography

Cyclic Groups in Cryptography Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic

More information

標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装

標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装 九州大学学術情報リポジトリ Kyushu University Institutional Repository 標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装 川原, 祐人九州大学大学院数理学府 https://doi.org/10.15017/21704 出版情報 :Kyushu University, 2011, 博士 ( 機能数理学 ), 課程博士バージョン :published

More information

Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields

Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian

More information

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such Vol.17 No.6 J. Comput. Sci. & Technol. Nov. 2002 Selection of Secure Hyperelliptic Curves of g = 2 Based on a Subfield ZHANG Fangguo ( ) 1, ZHANG Futai ( Ξ) 1;2 and WANG Yumin(Π±Λ) 1 1 P.O.Box 119 Key

More information

FURTHER REFINEMENT OF PAIRING COMPUTATION BASED ON MILLER S ALGORITHM

FURTHER REFINEMENT OF PAIRING COMPUTATION BASED ON MILLER S ALGORITHM Unspecified Journal Volume 00, Number 0, Pages 000 000 S????-????(XX)0000-0 FURTHER REFINEMENT OF PAIRING COMPUTATION BASED ON MILLER S ALGORITHM CHAO-LIANG LIU, GWOBOA HORNG, AND TE-YU CHEN Abstract.

More information

The Eta Pairing Revisited

The Eta Pairing Revisited The Eta Pairing Revisited F. Hess 1, N. Smart 2, and Frederik Vercauteren 3 1 Technische Universität Berlin, Fakultät II, Institut für Mathematik, MA 8-1, Strasse des 17. Juni 136, D-10623 Berlin, Germany.

More information

PAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction

PAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction PAIRINGS ON HYPERELLIPTIC CURVES JENNIFER BALAKRISHNAN, JULIANA BELDING, SARAH CHISHOLM, KIRSTEN EISENTRÄGER, KATHERINE E. STANGE, AND EDLYN TESKE Dedicated to the memory of Isabelle Déchène (1974-2009)

More information

Efficient Computation of Roots in Finite Fields

Efficient Computation of Roots in Finite Fields Efficient Computation of Roots in Finite Fields PAULO S. L. M. BARRETO (pbarreto@larc.usp.br) Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica, Universidade de São Paulo, Brazil.

More information

On compressible pairings and their computation

On compressible pairings and their computation On compressible pairings and their computation Michael Naehrig 1, Paulo S. L. M. Barreto 2, and Peter Schwabe 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O.

More information

The Realm of the Pairings. Paulo S. L. M. Barreto

The Realm of the Pairings. Paulo S. L. M. Barreto The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena Thanks to the organizers of SAC 2013 for the invitation! Accompanying paper: joint work with D. Aranha, P. Longa and J. Ricardini. I know I

More information

Discrete Logarithm Computation in Hyperelliptic Function Fields

Discrete Logarithm Computation in Hyperelliptic Function Fields Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University

More information

Fast Formulas for Computing Cryptographic Pairings

Fast Formulas for Computing Cryptographic Pairings Fast Formulas for Computing Cryptographic Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology May 28, 2012 1 / 47 Thanks: supervisors and co-authors Prof. Colin Boyd Dr.

More information

Multi-core Implementation of the Tate Pairing over Supersingular Elliptic Curves

Multi-core Implementation of the Tate Pairing over Supersingular Elliptic Curves Multi-core Implementation of the Tate Pairing over Supersingular Elliptic Curves Jean-Luc Beuchat 1, Emmanuel López-Trejo, Luis Martínez-Ramos 3, Shigeo Mitsunari 4, and Francisco Rodríguez-Henríquez 3

More information

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN 1, MICHAEL SCOTT 2, AND EDLYN TESKE 3 1 Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840 USA dfreeman@math.berkeley.edu

More information

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map Jung Hee Cheon, Sungmo Park, Sangwoo Park, and Daeho Kim Electronics and Telecommunications Research Institute, 161 Kajong-Dong,Yusong-Gu,

More information

A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field

A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field Taichi Sumo, Yuki Mori (Okayama University) Yasuyuki Nogami (Graduate School of Okayama University) Tomoko Matsushima

More information

A FPGA pairing implementation using the Residue Number System. Sylvain Duquesne, Nicolas Guillermin

A FPGA pairing implementation using the Residue Number System. Sylvain Duquesne, Nicolas Guillermin A FPGA pairing implementation using the Residue Number System Sylvain Duquesne, Nicolas Guillermin IRMAR, UMR CNRS 6625 Université Rennes 1 Campus de Beaulieu 35042 Rennes cedex, France sylvain.duquesne@univ-rennes1.fr,

More information

Secure Bilinear Diffie-Hellman Bits

Secure Bilinear Diffie-Hellman Bits Secure Bilinear Diffie-Hellman Bits Steven D. Galbraith 1, Herbie J. Hopkins 1, and Igor E. Shparlinski 2 1 Mathematics Department, Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Steven.Galbraith@rhul.ac.uk,

More information

Fast point multiplication algorithms for binary elliptic curves with and without precomputation

Fast point multiplication algorithms for binary elliptic curves with and without precomputation Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico

More information

Efficient Pairings Computation on Jacobi Quartic Elliptic Curves

Efficient Pairings Computation on Jacobi Quartic Elliptic Curves Efficient Pairings Computation on Jacobi Quartic Elliptic Curves Sylvain Duquesne 1, Nadia El Mrabet 2, and Emmanuel Fouotsa 3 1 IRMAR, UMR CNRS 6625, Université Rennes 1, Campus de Beaulieu 35042 Rennes

More information

Singular curve point decompression attack

Singular curve point decompression attack Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015

More information

Faster Pairings on Special Weierstrass Curves

Faster Pairings on Special Weierstrass Curves craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution

More information

8 Elliptic Curve Cryptography

8 Elliptic Curve Cryptography 8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given

More information

Unbalancing Pairing-Based Key Exchange Protocols

Unbalancing Pairing-Based Key Exchange Protocols Unbalancing Pairing-Based Key Exchange Protocols Michael Scott Certivox Labs mike.scott@certivox.com Abstract. In many pairing-based protocols more than one party is involved, and some or all of them may

More information

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Aurore Guillevic and François Morain and Emmanuel Thomé University of Calgary, PIMS CNRS, LIX École Polytechnique, Inria, Loria SAC,

More information

Implementing Cryptographic Pairings on Smartcards

Implementing Cryptographic Pairings on Smartcards Implementing Cryptographic Pairings on Smartcards Michael Scott, Neil Costigan, and Wesam Abdulwahab School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie

More information

Katherine Stange. Pairing, Tokyo, Japan, 2007

Katherine Stange. Pairing, Tokyo, Japan, 2007 via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,

More information

Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves

Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves Ezekiel J Kachisa School of Computing Dublin City University Ireland ekachisa@computing.dcu.ie Abstract. Constructing pairing-friendly

More information

arxiv: v3 [cs.cr] 5 Aug 2014

arxiv: v3 [cs.cr] 5 Aug 2014 Further Refinements of Miller Algorithm on Edwards curves Duc-Phong Le, Chik How Tan Temasek Laboratories, National University of Singapore 5A Engineering Drive 1, #09-02, Singapore 117411. arxiv:1305.2694v3

More information

Optimal Pairings. F. Vercauteren

Optimal Pairings. F. Vercauteren Optimal Pairings F. Vercauteren Department of Electrical Engineering, Katholieke Universiteit Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium frederik.vercauteren@esat.kuleuven.be Abstract.

More information

Efficient Algorithms for Pairing-Based Cryptosystems

Efficient Algorithms for Pairing-Based Cryptosystems Efficient Algorithms for Pairing-Based Cryptosystems Paulo S. L. M. Barreto 1, Hae Y. Kim 1, Ben Lynn 2, and Michael Scott 3 1 Universidade de São Paulo, Escola Politécnica. Av. Prof. Luciano Gualberto,

More information

Pairings for Cryptographers

Pairings for Cryptographers Pairings for Cryptographers Steven D. Galbraith 1, Kenneth G. Paterson 1, and Nigel P. Smart 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom.

More information

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,

More information

What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol?

What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? Nadia EL MRABET LIRMM Laboratory, I3M, CNRS, University Montpellier 2, 161, rue Ada, 34 392 Montpellier,

More information

GENERATORS OF JACOBIANS OF GENUS TWO CURVES

GENERATORS OF JACOBIANS OF GENUS TWO CURVES GENERATORS OF JACOBIANS OF GENUS TWO CURVES CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. We prove that in most cases relevant to cryptography, the Frobenius endomorphism on the Jacobian of a genus two curve

More information

Pairings for Cryptographers

Pairings for Cryptographers Pairings for Cryptographers Craig Costello t-craigc@microsoft.com talk based on disjoint work (not mine) by: Steven Galbraith, Kenny Paterson, Nigel Smart August 15, 2012 1 /22 Pairing groups A pairing

More information

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat 1, Nicolas Brisebarre 2,3, Jérémie Detrey 3, and Eiji Okamoto 1 1 Laboratory of Cryptography and Information Security, University of

More information

Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014

Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014 Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable

More information

arxiv:math/ v1 [math.nt] 21 Nov 2003

arxiv:math/ v1 [math.nt] 21 Nov 2003 arxiv:math/0311391v1 [math.nt] 21 Nov 2003 IMPROVED WEIL AND TATE PAIRINGS FOR ELLIPTIC AND HYPERELLIPTIC CURVES KIRSTEN EISENTRÄGER, KRISTIN LAUTER, AND PETER L. MONTGOMERY Abstract. We present algorithms

More information

A New Family of Pairing-Friendly elliptic curves

A New Family of Pairing-Friendly elliptic curves A New Family of Pairing-Friendly elliptic curves Michael Scott 1 and Aurore Guillevic 2 1 MIRACL.com 2 Université de Lorraine, CNRS, Inria, LORIA, Nancy, France May 21, 2018 Abstract There have been recent

More information

Fast arithmetic and pairing evaluation on genus 2 curves

Fast arithmetic and pairing evaluation on genus 2 curves Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic

More information

Mappings of elliptic curves

Mappings of elliptic curves Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves

More information

Integer multiplication with generalized Fermat primes

Integer multiplication with generalized Fermat primes Integer multiplication with generalized Fermat primes CARAMEL Team, LORIA, University of Lorraine Supervised by: Emmanuel Thomé and Jérémie Detrey Journées nationales du Calcul Formel 2015 (Cluny) November

More information

Ordinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors

Ordinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors Memoirs of the Faculty of Engineering, Okayama University, Vol. 44, pp. 60-68, January 2010 Ordinary Pairing Friendly Curve of Embedding Degree Whose Order Has Two Large Prime Factors Yasuyuki NOGAMI Graduate

More information

Elliptic Curve Discrete Logarithm Problem

Elliptic Curve Discrete Logarithm Problem Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback